
I have two PowerShell scripts I'm building for a Windows 7 image. Prior to the image I run PRE-IMAGE.ps1, and it has a line like this in it:

$JoinDomainPassword = Read-Host -Prompt "Please enter the password for $JoinDomainUser" -AsSecureString
# No -Key is given, so the resulting standard string is protected with DPAPI
$strPass = $JoinDomainPassword | ConvertFrom-SecureString

I then save the $strPass secure string to the registry, and run sysprep.

After a reboot with sysprep, the POST-IMAGE.ps1 then pulls $strPass from the registry, and has a line like this:

# $strPass was read back from the registry; this is the line that fails after sysprep
$strPass = $strPass | ConvertTo-SecureString
$credentials = New-Object System.Management.Automation.PSCredential ($JoinDomainUser, $strPass)

However, these lines in POST-IMAGE.ps1 get the "Key not valid" error you'll see when you run ConvertTo-SecureString and ConvertFrom-SecureString as different Windows users (similar to this question) - but the catch here is I -AM- using the same user to convert to and from secure strings. I'm guessing this has something to do with sysprep - but I can't wrap my head around it.

I apologize if this has been asked about before, I've found a few questions that touch on parts of this, but don't describe my EXACT problem.

  • Which user are you using, the built in Administrator user or a created user? – Scott Chamberlain Jan 06 '15 at 23:03
  • In the code example above, $joinDomainUser is a user on the domain who has permissions to add computer accounts. The script is being run as the local administrator. – Medos Jan 09 '15 at 22:46

1 Answer

If you do not specify a key for the ConvertFrom-SecureString command, it will use DPAPI to encrypt the string. Sysprep apparently re-initializes the key used by DPAPI. From http://www.mombu.com/microsoft/security-crypto/t-local-machine-masterkey-in-dpapi-1053937-print.html

DPAPI will generate the local system master key during the specialization phase of sysprep.

  • Thanks for the info Keith. I'm wondering now, since DPAPI isn't available, what the best way to store the credentials is. I know I can use the "-key" parameter to convert the securestrings with something other than DPAPI, but now I'm trying to figure out what the best (most secure) way to store and use that key is. Including it in the script is only slightly better than storing the password in clear text. – Medos Jan 09 '15 at 22:50
  • 1
    This won't help until V5 comes out (and maybe not even then) but have a look at this blog post http://bit.ly/CmsMessage. – Keith Hill Jan 10 '15 at 00:24
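Following the answer's point that only the no-key form of ConvertFrom-SecureString depends on DPAPI, here is an added example (not code from the question or the answer) that reworks the two scripts around an explicit AES key passed to -Key, so the stored value no longer depends on the DPAPI master key that sysprep regenerates. The registry path, value name and key-file location are assumptions; the key file is assumed to sit on a build volume that is not captured into the image and is attached again at first boot, which is one answer to the comment above about where the key should live. Whoever can read both the key file and the registry value can recover the password, so the post-image script deletes both as soon as the credential is built.

```powershell
# Added example, not from the original question or answer.
# Paths below are assumptions for illustration.
$RegPath = 'HKLM:\SOFTWARE\ImageBuild'  # assumed registry location for the ciphertext
$KeyFile = 'D:\build-secrets\join.key'  # assumed: a volume that is NOT captured into the image

# ----- PRE-IMAGE.ps1 -----
function Protect-JoinPassword {
    param(
        [Parameter(Mandatory=$true)][System.Security.SecureString]$Password
    )
    # 32 random bytes = AES-256. ConvertFrom-SecureString -Key accepts 16, 24 or 32 bytes.
    $key = New-Object byte[] 32
    $rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $rng.GetBytes($key)

    # Keep the key out of the image: write it to the build volume, not the registry
    [System.IO.File]::WriteAllBytes($KeyFile, $key)

    # With -Key the output is AES-encrypted under $key instead of DPAPI-protected,
    # so it survives the DPAPI master-key regeneration that sysprep performs
    $cipher = $Password | ConvertFrom-SecureString -Key $key

    if (-not (Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
    Set-ItemProperty -Path $RegPath -Name 'JoinPass' -Value $cipher

    # Do not leave the key lying around in this process
    [Array]::Clear($key, 0, $key.Length)
}

# ----- POST-IMAGE.ps1 -----
function Get-JoinCredential {
    param(
        [Parameter(Mandatory=$true)][string]$UserName
    )
    $key    = [System.IO.File]::ReadAllBytes($KeyFile)
    $cipher = (Get-ItemProperty -Path $RegPath -Name 'JoinPass').JoinPass
    try {
        # Same key, same ciphertext: this does not touch DPAPI at all
        $secure = $cipher | ConvertTo-SecureString -Key $key
    } finally {
        [Array]::Clear($key, 0, $key.Length)
    }

    # Key plus ciphertext equals the password; remove both once the credential exists
    Remove-ItemProperty -Path $RegPath -Name 'JoinPass' -ErrorAction SilentlyContinue
    Remove-Item -Path $KeyFile -Force -ErrorAction SilentlyContinue

    New-Object System.Management.Automation.PSCredential ($UserName, $secure)
}

# Usage (pre-image):
#   Protect-JoinPassword -Password (Read-Host -Prompt "Password for $JoinDomainUser" -AsSecureString)
# Usage (post-image):
#   $credentials = Get-JoinCredential -UserName $JoinDomainUser
```

A quick check before running sysprep: decrypt the stored value as a different local user (for example under runas). The DPAPI form from the question fails there with the same "Key not valid" error, while the -Key form round-trips, which confirms the value no longer depends on a per-user or per-machine master key. The trade-off is that the -Key form has no DPAPI protection at all, so the security of the scheme is exactly the security of wherever the key file is kept.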